Files Date: 2015-08-04

The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually. Windows installer.

The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually. Linux release.

Red Hat Security Advisory 2015-1545-01 - OpenShift Enterprise by Red Hat is the company's cloud computing Platform-as-a-Service solution designed for on-premise or private cloud deployments. Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. A flaw was found in the way SSL 3.0 handled padding bytes when decrypting messages encrypted using block ciphers in cipher block chaining mode. This flaw allows a man-in-the-middle attacker to decrypt a selected byte of a cipher text in as few as 256 tries if they are able to force a victim application to repeatedly send the same data over newly created SSL 3.0 connections.

Red Hat Security Advisory 2015-1543-01 - Red Hat JBoss Portal is the open source implementation of the Java EE suite of services and Portal services running atop Red Hat JBoss Enterprise Application Platform. It was found that PortletBridge PortletRequestDispatcher did not respect security constraints set by the servlet if a portlet request asked for rendering of a non-JSF resource such as JSP or HTML. A remote attacker could use this flaw to potentially bypass certain security constraints and gain access to restricted resources.

Ubuntu Security Notice 2677-1 - An uninitialized value issue was discovered in ICU. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service. A use-after-free was discovered in the GPU process implementation in Chromium. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking the program. Various other issues were also addressed.

Debian Linux Security Advisory 3328-2 - The security update for wordpress in DSA 3328 contained a regression. The patch for issue CVE-2015-5622 was faulty. A new package version has been released that backs this patch out pending resolution of the problem.

Debian Linux Security Advisory 3327-1 - Alex Rousskov of The Measurement Factory discovered that Squid3, a fully featured web proxy cache, does not correctly handle CONNECT method peer responses when configured with cache_peer and operating on explicit proxy traffic. This could allow remote clients to gain unrestricted access through a gateway proxy to its backend proxy.

There are several flaws in the HP ArcSight Logger search capabilities that cause it to provide invalid search results for any query that uses boolean expressions. This means that any query to search through data in the logs ArcSight collected is potentially incorrect if the query contains more than one search term.

I2P is an anonymizing network, offering a simple layer that identity-sensitive applications can use to securely communicate. All data is wrapped with several layers of encryption, and the network is both distributed and dynamic, with no trusted parties. This is the source code release version.

This Metasploit module embeds an exploit into an uncompressed map file (.h3m) for Heroes of Might and Magic III. Once the map is started in-game, a buffer overflow occurring when loading object sprite names leads to shellcode execution.

Botan is a C++ library of cryptographic algorithms, including AES, DES, SHA-1, RSA, DSA, Diffie-Hellman, and many others. It also supports X.509 certificates and CRLs, and PKCS #10 certificate requests, and has a high level filter/pipe message processing system. The library is easily portable to most systems and compilers, and includes a substantial tutorial and API reference.

Red Hat Security Advisory 2015-1539-01 - Red Hat JBoss BPM Suite is a business rules and processes management system for the management, storage, creation, modification, and deployment of JBoss rules and BPMN2-compliant business processes. This release of Red Hat JBoss BPM Suite 6.1.2 serves as a replacement for Red Hat JBoss BPM Suite 6.1.0, and includes bug fixes and enhancements, which are documented in the README.txt file included with the patch files. The following security issues are also fixed with this release: It was found that Apache Camel's XML converter performed XML External Entity expansion. A remote attacker able to submit an SAXSource containing an XXE declaration could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.

Red Hat Security Advisory 2015-1538-01 - Red Hat JBoss BRMS is a business rules management system for the management, storage, creation, modification, and deployment of JBoss Rules. This release of Red Hat JBoss BRMS 6.1.2 serves as a replacement for Red Hat JBoss BRMS 6.1.0, and includes bug fixes and enhancements, which are documented in the README.txt file included with the patch files. The following security issues are also fixed with this release: It was found that Apache Camel's XML converter performed XML External Entity expansion. A remote attacker able to submit an SAXSource containing an XXE declaration could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.

Debian Linux Security Advisory 3326-1 - William Robinet and Stefan Cornelius discovered an integer overflow in Ghostscript, the GPL PostScript/PDF interpreter, which may result in denial of service or potentially execution of arbitrary code if a specially crafted file is opened.